SSL Setup
Amqphp supports SSL with client certificates and peer verification via the StreamSocket class, which uses the low-level PHP streams API. To set up an SSL connection you must pass the correct options to the Connection constructor, which accepts a nested associative array defining all connection parameters. The parameters that matter to SSL are (assuming that $arg is the constructor argument):
- $arg['socketImpl'] = "\\amqphp\\StreamSocket" forces the use of the StreamSocket class, which is required for SSL.
- $arg['socketParams']['url'] = "ssl://blah.com:5671" is passed directly as the first argument of the low-level stream_socket_client function, so the URL must use the ssl:// scheme.
- $arg['socketParams']['context']['ssl']['...'] = '...' : the context sub-array is passed to stream_context_create and used when the SSL connection is opened, so any SSL context option available on your PHP build can be set here.
Using client certs with PHP can be tricky: PHP's local_cert option expects the private key and the certificate (optionally followed by the issuing CA chain) in a single PEM file, so you have to concatenate several PEM files before handing the result to PHP. If you've followed the RabbitMQ SSL tutorial and created your own self-signed CA, server and client certs, prepare them for PHP as follows:
# For the client cert
cat client/key.pem > php-client-cert.pem
cat client/cert.pem >> php-client-cert.pem
cat testca/cacert.pem >> php-client-cert.pem
# For the Server cert
cat server/key.pem > php-server-cert.pem
cat server/cert.pem >> php-server-cert.pem
cat testca/cacert.pem >> php-server-cert.pem
Here's a complete example which uses XML to represent the connection parameters (you can use this with the Factory component).
<!-- SSL Connection -->
<conn_params>
<vhost k="string">/</vhost>
<username k="string">testing</username>
<userpass k="string">letmein</userpass>
<heartbeat k="int">2</heartbeat>
<socketImpl k="string">\amqphp\StreamSocket</socketImpl>
<socketParams>
<!-- url MUST be ssl://blahblahblah -->
<url k="string">ssl://192.168.122.10:5671</url>
<!--
For a simple SSL connection that doesn't use either client
certificates or peer verification, you can omit the context
element
-->
<context>
<ssl>
<!--
If your rabbitmq.config file has
"{fail_if_no_peer_cert,true}" then you *must* provide a
local_cert
-->
<local_cert k="string">/home/robin/crts/php-client-cert.pem</local_cert>
<!--
If you switch on broker verification with the verify_peer
flag, then you must provide a cafile element containing the
CA certificate that issued the broker's certificate. Only the
testca/cacert.pem part of php-server-cert.pem is used for
this, so a file holding just the CA certificate works as well
and keeps server/key.pem off the client host. On PHP 5.6 and
later the certificate name is also checked against the host
in the url (verify_peer_name defaults to on); set peer_name
to the CN/SAN in the broker certificate when connecting by IP
rather than disabling that check.
-->
<verify_peer k="integer">1</verify_peer>
<cafile k="string">/home/robin/crts/php-server-cert.pem</cafile>
</ssl>
</context>
</socketParams>
</conn_params>
For users who don't use the Factory, substitute an associative array with the same nesting hierarchy.
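The array form that non-Factory users pass, as an added example that is not amqphp's own code: it rebuilds the XML above as a nested array, checks it against the rules given on this page (StreamSocket as socketImpl, the ssl:// scheme, a cafile whenever verify_peer is on, and a php-client-cert.pem built as shown earlier that really holds a matching key and certificate chaining to the CA), and then writes out the stream_context_create / stream_socket_client calls the page says StreamSocket makes with these values. The host, file paths and the peer_name value are assumptions for illustration; the Connection constructor call in the final comment is as described on this page.

```php
<?php
// Added example, not part of amqphp. Host, paths and peer_name are assumptions.

function sslConnectionParams(string $hostPort, string $clientBundle, string $caFile): array
{
    return [
        'vhost'        => '/',
        'username'     => 'testing',
        'userpass'     => 'letmein',
        'heartbeat'    => 2,
        'socketImpl'   => '\\amqphp\\StreamSocket',   // required for SSL
        'socketParams' => [
            'url'     => "ssl://$hostPort",          // scheme must be ssl://
            'context' => [
                'ssl' => [
                    'local_cert'  => $clientBundle,  // key + cert + CA in one PEM file
                    'verify_peer' => true,
                    'cafile'      => $caFile,
                    // PHP 5.6+ also checks the certificate name against the host in
                    // the url (verify_peer_name). When connecting to an IP address,
                    // name the broker certificate's CN here instead of switching the
                    // check off. Assumed CN for this example:
                    'peer_name'   => 'rabbitmq.internal',
                ],
            ],
        ],
    ];
}

/** Returns a list of problems; an empty list means the parameters are usable for SSL. */
function checkSslParams(array $arg): array
{
    $problems = [];
    if (($arg['socketImpl'] ?? '') !== '\\amqphp\\StreamSocket') {
        $problems[] = 'socketImpl must be \\amqphp\\StreamSocket for SSL';
    }
    $url = $arg['socketParams']['url'] ?? '';
    if (strncmp($url, 'ssl://', 6) !== 0) {
        $problems[] = "url must use the ssl:// scheme, got: $url";
    }
    $ssl = $arg['socketParams']['context']['ssl'] ?? [];
    if (empty($ssl['verify_peer'])) {
        $problems[] = 'verify_peer is off: the broker certificate is not checked';
    } elseif (empty($ssl['cafile']) || !is_readable($ssl['cafile'])) {
        $problems[] = 'verify_peer is on but cafile is missing or unreadable';
    }
    if (isset($ssl['local_cert'])) {
        $problems = array_merge($problems, checkClientBundle($ssl['local_cert'], $ssl['cafile'] ?? null));
    }
    return $problems;
}

/**
 * Check a php-client-cert.pem built as shown above. PHP takes the first
 * CERTIFICATE block and the PRIVATE KEY block from the same file, so the two
 * must belong together, and the certificate should chain to the CA in cafile.
 */
function checkClientBundle(string $bundle, ?string $caFile): array
{
    if (!is_readable($bundle)) {
        return ["local_cert is not readable: $bundle"];
    }
    $pem  = file_get_contents($bundle);
    $cert = openssl_x509_read($pem);         // first certificate in the file
    $key  = openssl_pkey_get_private($pem);  // the private key block
    if ($cert === false || $key === false) {
        return ['local_cert does not contain both a certificate and a private key'];
    }
    $problems = [];
    if (!openssl_x509_check_private_key($cert, $key)) {
        $problems[] = 'private key in local_cert does not match its certificate';
    }
    if ($caFile !== null && openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_CLIENT, [$caFile]) !== true) {
        $problems[] = 'client certificate does not verify against cafile';
    }
    return $problems;
}

$arg = sslConnectionParams(
    '192.168.122.10:5671',
    '/home/robin/crts/php-client-cert.pem',
    '/home/robin/crts/cacert.pem'   // the CA certificate alone is enough for cafile
);
$problems = checkSslParams($arg);
foreach ($problems as $p) {
    fwrite(STDERR, "config problem: $p\n");
}

if (!$problems) {
    // The calls this page says StreamSocket makes with these values.
    $ctx  = stream_context_create($arg['socketParams']['context']);
    $sock = @stream_socket_client($arg['socketParams']['url'], $errno, $errstr, 5,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // An untrusted CA, a name mismatch or a rejected client cert all fail here.
        fwrite(STDERR, "TLS connect failed: [$errno] $errstr\n");
    } else {
        fclose($sock);
        // With the same array the library opens its own socket:
        //   $conn = new \amqphp\Connection($arg);
    }
}
```

Run the checks before the first connect attempt: a verify_peer / cafile mismatch or a bundle whose key does not match its certificate otherwise surfaces only as an opaque handshake failure from stream_socket_client.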